Analysis
max time kernel
140s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted
02-12-2024 19:56
Static task
static1
Behavioral task
behavioral1
Sample
186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525.exe
Resource
win10v2004-20241007-en
General
Target
186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525.exe
Size
78KB
MD5
4a36dab75bd2f192ee8f10b272b63895
SHA1
beeaa38a9b06572fa3abee9964098afc17510d53
SHA256
186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525
SHA512
5d481f83d502f5c793712a7b346abde7e9ca8de4e8c8fe9e3954f984af14c167755bf5f65a9ad90a427f3b48d2235b290433cbb8bb5b886bd7959af919c98e99
SSDEEP
1536:i58HLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtd6c9/Vc1Ds:i58rE2EwR4uY41HyvYn9/X
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.
Metamorpherrat family
Executes dropped EXE 1 IoCs
pid  | Process
2632 | tmp623C.tmp.exe
Loads dropped DLL 2 IoCs
pid  | Process
2892 | 186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525.exe
2892 | 186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525.exe
Uses the VBS compiler for execution 1 TTPs
Adds Run key to start application 2 TTPs 1 IoCs
description     | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" | tmp623C.tmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp623C.tmp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description              | pid  | Process
Token: SeDebugPrivilege  | 2892 | 186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525.exe
Token: SeDebugPrivilege  | 2632 | tmp623C.tmp.exe
Suspicious use of WriteProcessMemory 12 IoCs
description                        | pid  | Process | procid_target
PID 2892 wrote to memory of 2832   | 2892 | 186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525.exe | 30
PID 2892 wrote to memory of 2832   | 2892 | 186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525.exe | 30
PID 2892 wrote to memory of 2832   | 2892 | 186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525.exe | 30
PID 2892 wrote to memory of 2832   | 2892 | 186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525.exe | 30
PID 2832 wrote to memory of 2660   | 2832 | vbc.exe | 32
PID 2832 wrote to memory of 2660   | 2832 | vbc.exe | 32
PID 2832 wrote to memory of 2660   | 2832 | vbc.exe | 32
PID 2832 wrote to memory of 2660   | 2832 | vbc.exe | 32
PID 2892 wrote to memory of 2632   | 2892 | 186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525.exe | 33
PID 2892 wrote to memory of 2632   | 2892 | 186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525.exe | 33
PID 2892 wrote to memory of 2632   | 2892 | 186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525.exe | 33
PID 2892 wrote to memory of 2632   | 2892 | 186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525.exe | 33
Processes
[1] C:\Users\Admin\AppData\Local\Temp\186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525.exe
    "C:\Users\Admin\AppData\Local\Temp\186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2892
    [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zckvmeso.cmdline"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID:2832
        [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES62F8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc62F7.tmp"
            - System Location Discovery: System Language Discovery
            PID:2660
    [2] C:\Users\Admin\AppData\Local\Temp\tmp623C.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp623C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID:2632
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
1KB
MD5
7095d18999ea3dc84af08a059c3c9aa5
SHA1
245aa5d67cfdc094c10ffeba24b1a46b803e4659
SHA256
fa6672803c68bfed6154cbd8783a5502b08808472d35311c53d41cb42b7f09a0
SHA512
2be0a351b9c55d70e586eb93ea9962064713f7cc65e695fedc3575fbac404835169eea2b13bd83b4308d6b7cf2701711488da3352b5657dfcc996ba9ef69a64f

Filesize
78KB
MD5
388fd981a3abb2d401980b98cda354c4
SHA1
d1f7ec9f16372dc842438e4ae8d7d0a6f64d591f
SHA256
da84feec7b1e16f8c99751a7e135557c473c167de8daa6eee7ba834e4eab2f54
SHA512
79da5792e76b7716a021327f1e51d6c9dc25e3bca94b724ff181193d0bd450cb03e5f230f9cf21225ea329a45da51f55a66c1ab89c4368e0bf98c14ab147aa01

Filesize
660B
MD5
38c34d632bddfeed8fbffd28d5ea2735
SHA1
1c53b4682597bf14a4b6fa49c6d5f188361b9658
SHA256
6dd2e89bde4dca1064901e7bf05115933414448d41519345c9d9d9843b0500ea
SHA512
ba06ba88648759c2f8bdba45ee090611fa8af65d1542d8a720faa09c822abc2baea905b8b95175a7a73d803e799c023b7799e563aa1af6d0a211344eb7f18e9e

Filesize
62KB
MD5
6870a276e0bed6dd5394d178156ebad0
SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee
SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4
SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Filesize
14KB
MD5
5e966f43011e32ce65fddfe82e5cf7af
SHA1
6bdcd3bc8f3f04662a303886567fb1e506fc2517
SHA256
dfcd79c03aa196a7ad6d9b5d1d68330c44b97ec4b601fd9d62e0c848d569f3ff
SHA512
585e26e9afe63295fa35c68d53c659539dd32ab132cd8eb082092fe1d00030024ed800e6e04c97ce400ae951353b70c299f8804aa2eb31a11844361d3fae330c

Filesize
266B
MD5
74d3030b613aa67e4d68cd64167bf4d8
SHA1
653ab396d32ec6ebc413f22eee1258b74edb2928
SHA256
d2bb3ee29477ca083da3f6934ef553fb75ea59381185bad319ca15002438a827
SHA512
e1903fe9314a73a3c227548854a0dea148aff81786526609e9669a013aa3cafaccd20bc150bade1abde2bdfa90b62eefee9058cdfbcc913f79f57aa753ffc14b